If you keep hearing about ransomware attacks and have realized you have no idea what to do if your small business were targeted, you’re not alone. Panic makes mistakes more likely, so the best outcome comes from calm, immediate, sensible action. Below are clear, practical first steps to take the moment you suspect a ransomware incident, plus short-term recovery and prevention guidance.
Immediate actions — what to do in the first 15–60 minutes
1. Isolate affected devices
Disconnect the infected computer or device from the network immediately: unplug the Ethernet cable, disable Wi‑Fi, and turn off Bluetooth or any phone tethering. Do not simply shut down if you can avoid it. Powering down destroys volatile evidence (running processes, open network connections, and in some cases key material that responders can recover from memory); isolating the machine instead prevents the malware from spreading to network shares, backup systems, or cloud sync services. If the machine syncs to OneDrive, Dropbox or Google Drive, pause or sign out of sync from another device too, so that encrypted copies do not overwrite the cloud versions.
2. Stop the spread
Disconnect networked devices that may be at risk: servers, other workstations, network-attached storage (NAS), point-of-sale terminals, and printers. Disable the affected user’s account and any VPN or remote-access sessions, since the attacker is often still logged in. If you use centralized backups, ensure they are not reachable from the infected machine. Quick isolation is the difference between a single compromised workstation and a full-site outage.
3. Preserve evidence
Make basic records: time of discovery, the ransom note or message (photograph the screen with a phone rather than saving screenshots on the infected machine), its filename and any contact address or payment ID it contains, the extension appended to encrypted files (which usually identifies the strain), and the affected systems. Note which accounts or credentials were in use. Avoid wiping logs or rebooting critical systems unless instructed by a professional. Preserving forensic evidence helps incident responders and law enforcement, and may be required for insurance claims.
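One way to capture these facts consistently, as an added example that is not part of the original article: the Python script below records the discovery time in UTC, hashes and quotes any ransom note, and flags files whose contents look encrypted (near-random bytes under an unfamiliar extension) without modifying anything. The sample files, the ".locked" extension and the note filenames are constructed for the example and are not indicators of any particular ransomware family. Run it from clean media and write the record somewhere other than the affected volume.

```python
"""Incident triage record: added example, not code from the original article.

Captures what responders ask for first without changing anything on the
machine: discovery time in UTC, the ransom note text and hash, and which
files look encrypted (near-random content under an unfamiliar extension).
The sample files, the ".locked" extension and the note filenames below are
constructed assumptions, not indicators of any real ransomware family.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Assumed note filenames; real families vary, so extend this set as needed.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.txt"}
HIGH_ENTROPY = 7.5  # bits per byte; ciphertext and compressed data sit near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: English text scores roughly 4 to 5, ciphertext about 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    """Hash in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_directory(root: str) -> dict:
    """Read-only walk of root; sorts files into ransom notes, suspect files, other."""
    record = {
        "discovered_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "root": root,
        "ransom_notes": [],
        "suspect_files": [],
        "other_files": 0,
    }
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(65536)  # the first 64 KiB is enough for an entropy estimate
            entry = {
                "path": os.path.relpath(path, root),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
                "entropy": round(shannon_entropy(head), 2),
            }
            if name.lower() in RANSOM_NOTE_NAMES:
                entry["text"] = head.decode("utf-8", "replace")[:500]
                record["ransom_notes"].append(entry)
            elif entry["entropy"] >= HIGH_ENTROPY:
                record["suspect_files"].append(entry)
            else:
                record["other_files"] += 1
    return record


def save_record(record: dict, out_path: str) -> str:
    """Write the record as JSON and return its hash so it can be vouched for later."""
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return sha256_file(out_path)


def build_sample_incident_dir() -> str:
    """Constructed stand-in for an affected share: one note, one encrypted-looking
    file and one untouched file. Not real malware output."""
    root = tempfile.mkdtemp(prefix="triage_sample_")
    os.makedirs(os.path.join(root, "invoices"))
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as f:
        f.write("Your files are encrypted. Contact us to recover them.\n")
    # bytes(range(256)) repeated has exactly 8 bits/byte, as ciphertext would
    with open(os.path.join(root, "invoices", "Q1.xlsx.locked"), "wb") as f:
        f.write(bytes(range(256)) * 16)
    with open(os.path.join(root, "invoices", "notes.txt"), "w", encoding="utf-8") as f:
        f.write("Invoice 0001: 3 units, net 30 days.\n" * 50)
    return root


if __name__ == "__main__":
    sample = build_sample_incident_dir()
    rec = triage_directory(sample)
    out = os.path.join(tempfile.gettempdir(), "triage_record.json")  # use clean media in practice
    print(json.dumps(rec, indent=2))
    print("record written to", out, "sha256", save_record(rec, out))
```

Entropy is a coarse signal: compressed formats such as .zip, .jpg and modern Office files also score close to 8 bits per byte, so treat the suspect list as a starting point for the responders, not a verdict.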
Who to contact right away
4. Contact your IT support or an incident response professional
If you have an IT vendor or managed service provider, contact them immediately. If not, engage a reputable cyber incident response firm experienced with ransomware; your insurer may have a panel of approved firms and may require you to use one. Professionals can determine the scope, isolate systems safely, and begin recovery. For known resources and best practices, the US Cybersecurity and Infrastructure Security Agency (CISA) publishes concise guidance at stopransomware.gov.
5. Notify law enforcement and report the attack
Report ransomware to local law enforcement and to national reporting bodies such as the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. Even if you choose not to pay, reporting helps authorities track criminal activity and may provide leads or support.
Containment, recovery and communication
6. Don’t rush to pay
Paying a ransom is no guarantee you will get your data back (decryptors supplied by criminals are often slow or faulty), it does not undo any data they copied out before encrypting, it funds further attacks, and if the group is under sanctions the payment itself can carry legal penalties. Evaluate options with your incident responders, legal counsel, and insurance provider. For free decryptors and advice on specific ransomware strains, see No More Ransom (nomoreransom.org), which publishes decryptors for strains whose keys have been recovered.
7. Restore from verified backups
If you have recent, clean backups that were not reached by the attacker, restoring from backup is usually the fastest route to recovery. Before restoring, identify and close the entry point (an exposed remote-access service, a phished account) or the attacker will simply encrypt everything again. Confirm the backup itself was not encrypted or tampered with, check that it predates the intrusion (attackers often sit in a network for days or weeks before encrypting), and restore into a clean, isolated environment first. Reset every credential the attacker could have captured, including administrator and service accounts, and re-image machines rather than trusting potentially compromised endpoints.
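A concrete form of "verify backup integrity", as an added example rather than code from the article: when the backup is taken, record a SHA-256 hash of every file in a manifest and sign the manifest with an HMAC key kept offline; before restoring, check the signature first, so a manifest rewritten by the attacker cannot vouch for files the attacker rewrote, then rehash every file. The directory layout, file contents, the key and the simulated tampering are all constructed for the example.

```python
"""Backup verification before restore: added example, not code from the article.

When the backup is taken, build a manifest of SHA-256 hashes and sign it
with an HMAC key that is kept offline. Before restoring, check the
signature first (a manifest the attacker rewrote cannot then vouch for
files the attacker rewrote), then rehash every file. The directory layout,
file contents, key and simulated tampering below are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Stand-in for a key kept on offline media, never on the backup server.
OFFLINE_KEY = b"example-offline-key-replace-me"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: str) -> dict:
    """Map every file (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _, names in os.walk(backup_root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, backup_root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_backup(backup_root: str, manifest: dict, signature: str, key: bytes) -> dict:
    """'ok' is True only if the manifest is authentic, every listed file is
    present with its recorded hash, and nothing unlisted has appeared."""
    verdict = {"ok": False, "reason": "", "missing": [], "modified": [], "unexpected": []}
    if not manifest_is_authentic(manifest, signature, key):
        verdict["reason"] = "manifest signature invalid; do not trust this backup"
        return verdict
    current = build_manifest(backup_root)
    listed, found = set(manifest), set(current)
    verdict["missing"] = sorted(listed - found)
    verdict["unexpected"] = sorted(found - listed)
    verdict["modified"] = sorted(p for p in listed & found if current[p] != manifest[p])
    verdict["ok"] = not (verdict["missing"] or verdict["modified"] or verdict["unexpected"])
    verdict["reason"] = "clean" if verdict["ok"] else "contents differ from signed manifest"
    return verdict


def build_sample_backup() -> str:
    """Constructed backup tree with two ordinary files."""
    root = tempfile.mkdtemp(prefix="backup_sample_")
    os.makedirs(os.path.join(root, "docs"))
    files = {"docs/contract.txt": "Agreed terms, see appendix.\n",
             "docs/ledger.csv": "item,amount\nwidgets,120.00\n"}
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(text)
    return root


def simulate_ransomware(root: str) -> None:
    """Overwrite one file with random bytes, rename it and drop a note, the way
    an encryption run would. Used only so the verifier has something to catch."""
    victim = os.path.join(root, "docs", "ledger.csv")
    with open(victim, "wb") as f:
        f.write(os.urandom(512))
    os.rename(victim, victim + ".locked")
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "w", encoding="utf-8") as f:
        f.write("constructed ransom note\n")


def demo():
    """Verdicts for the clean backup, the tampered backup, and the tampered
    backup presented with a manifest the attacker regenerated to match it."""
    root = build_sample_backup()
    manifest = build_manifest(root)
    signature = sign_manifest(manifest, OFFLINE_KEY)
    clean = verify_backup(root, manifest, signature, OFFLINE_KEY)
    simulate_ransomware(root)
    tampered = verify_backup(root, manifest, signature, OFFLINE_KEY)
    forged = verify_backup(root, build_manifest(root), signature, OFFLINE_KEY)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, verdict in zip(("clean", "tampered", "forged manifest"), demo()):
        print(label, json.dumps(verdict))
```

The key must not live on the backup server or anywhere in the domain the attacker controlled; if it does, the signature proves nothing. A clean verdict also only shows the backup is unchanged since it was taken, not that it predates the intrusion, so pair it with the responders' estimate of when the attacker first got in.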
8. Communicate with stakeholders
Inform employees about the incident and provide clear instructions (e.g., do not connect personal devices to the network). If customer data is affected, consult legal counsel about notification obligations. Keep communications factual and timely; a transparent response can preserve trust.
Prevention steps to reduce future risk
9. Harden accounts and access
Require multi-factor authentication (MFA) on business email, VPN, and any other remote access, and never expose Remote Desktop (RDP) directly to the internet. Give users only the access they need, and keep day-to-day accounts separate from administrator accounts, so that one phished employee login cannot reach the backups or every server. Enforce strong, unique passwords and consider a managed password vault.
10. Backups, patching and monitoring
Keep at least one backup copy offline or immutable, so that credentials stolen from the network cannot reach it, and another offsite, and test restores on a schedule; a backup you have never restored from is an assumption, not a plan. Patch operating systems and critical software promptly, prioritising anything reachable from the internet, and deploy endpoint protection that includes anti‑malware and behavior-based detection. Use logging and monitoring so you can detect anomalies early, such as a burst of file renames from one machine or a login from an unexpected location.
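The kind of anomaly that monitoring can catch, as an added example not drawn from the article: ransomware rewrites and renames many files to one new extension from a single process within seconds, a pattern no ordinary user produces. The Python below scans file-activity log lines for that burst. The line format (epoch seconds, host, user, process, action, then a path or "old -> new") and the sample lines, including the process name updater.exe, are constructed for the example; adapt parse_line to whatever your file server or endpoint agent actually emits.

```python
"""Rename-burst detector: added example, not code from the original article.

Ransomware rewrites and renames many files to one new extension from a single
process within seconds, a pattern ordinary users never produce. This scans
file-activity log lines for that burst. The line format (epoch seconds, host,
user, process, action, then a path or "old -> new") and the sample lines,
including the process name updater.exe, are constructed for the example.
"""
import os
from collections import defaultdict, deque

THRESHOLD = 20   # renames to one unfamiliar extension ...
WINDOW_S = 60    # ... by one process within this many seconds raises an alert
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".csv", ".txt", ".jpg", ".png"}


def parse_line(line: str):
    """Parse one constructed-format line into a dict, or None if malformed."""
    parts = line.strip().split(maxsplit=5)
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    ts, host, user, proc, action, rest = parts
    ev = {"ts": int(ts), "host": host, "user": user, "proc": proc, "action": action}
    if action == "rename":
        old, sep, new = rest.partition(" -> ")
        if not sep:
            return None
        ev["old"], ev["new"] = old.strip(), new.strip()
    else:
        ev["path"] = rest.strip()
    return ev


def new_extension(ev: dict):
    """Extension gained by a rename, or None if the file kept a familiar one."""
    ext = os.path.splitext(ev["new"])[1].lower()
    if not ext or ext in KNOWN_EXTS or ext == os.path.splitext(ev["old"])[1].lower():
        return None
    return ext


def detect_bursts(lines) -> list:
    """Sliding-window count per (host, process, new extension); one alert per key."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "rename":
            continue
        ext = new_extension(ev)
        if ext is None:
            continue
        key = (ev["host"], ev["proc"], ext)
        window = windows[key]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > WINDOW_S:
            window.popleft()
        if len(window) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"], "user": ev["user"], "process": ev["proc"],
                "extension": ext, "count": len(window),
                "first_ts": window[0], "last_ts": ev["ts"],
            })
    return alerts


def sample_log() -> list:
    """Constructed activity: routine edits, then a burst from one process."""
    lines = [
        "1000 FS01 alice WINWORD.EXE write /shares/finance/budget.docx",
        "1005 FS01 alice WINWORD.EXE rename /shares/finance/~tmp.docx -> /shares/finance/budget.docx",
        "1010 FS01 bob EXCEL.EXE write /shares/finance/q1.xlsx",
    ]
    for i in range(30):
        lines.append(f"{1100 + i} FS01 bob updater.exe rename "
                     f"/shares/finance/file{i:02}.xlsx -> /shares/finance/file{i:02}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(sample_log()):
        print("ALERT", alert)
```

Tune THRESHOLD and WINDOW_S against a week of your own logs before alerting on them, since bulk renames by a backup or archiving job are legitimate. A cheaper tripwire that needs no log parsing is a few canary files on each share that nobody should ever touch: any modification to them is an alert in itself.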
11. Training and tabletop exercises
Teach employees how to spot phishing emails — the most common initial vector for ransomware. Run simple tabletop exercises so everyone knows who to call and what to do if an incident occurs. Preparation reduces panic and speeds response.
Ransomware is a serious threat, but pragmatic preparation and a calm, methodical response will make the difference. Isolate quickly, involve professionals, preserve evidence, and rely on verified backups rather than emotion-driven decisions. Use the incident as a catalyst to strengthen defenses: better backups, MFA, patching, and employee training turn an unlucky event into an opportunity to emerge more resilient.
